You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by "picpoc (JIRA)" <ji...@apache.org> on 2013/05/14 02:51:16 UTC
[jira] [Updated] (SHIRO-435) SecurityManager is not a singleton in
ShiroWebModule
[ https://issues.apache.org/jira/browse/SHIRO-435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
picpoc updated SHIRO-435:
-------------------------
Attachment: SHIRO-435.path
Patch proposal to fix the double SecurityManager singleton. Also prevent the same issue on Environment. Update test cases of ShiroWebModule accordingly.
> SecurityManager is not a singleton in ShiroWebModule
> ----------------------------------------------------
>
> Key: SHIRO-435
> URL: https://issues.apache.org/jira/browse/SHIRO-435
> Project: Shiro
> Issue Type: Bug
> Components: Integration: Guice
> Affects Versions: 1.2.1
> Reporter: Laszlo Ferenczi
> Assignee: Jared Bunting
> Attachments: SHIRO-435.path
>
>
> While integrating Shiro to our guice based webapp I've noticed
> something strange. The module setup is pretty much the same as the
> example in the Guice page of Shiro's documentation. Only extra code is
> that I'm exposing the WebSecurityManager like this:
> public class AuthModule extends ShiroWebModule {
> public AuthModule(ServletContext servletContext) {
> super(servletContext);
> }
> @Override
> @SuppressWarnings("unchecked")
> protected void configureShiroWeb() {
> IniRealm iniRealm = new IniRealm(Ini.fromResourcePath("classpath:shiro.ini"));
> bindRealm().toInstance(iniRealm);
> expose(WebSecurityManager.class);
> }
> }
> A guice injected SecurityManager instance is not the same as the
> cached static SecurityManager in SecurityUtils.
> @Path("/Ping")
> @Singleton
> public class PingResource {
> @Inject
> SecurityManager sec;
> @Inject
> WebSecurityManager websec;
> @GET
> public void ping() {
> SecurityManager man = SecurityUtils.getSecurityManager();
> assert(man == websec);
> assert(man == sec);
> }
> }
> First assert passes, second fails. Debugger confirms that there are 2
> instances in memory, both of them are of type
> DefaultWebSecurityManager but only the WebSecurityManager instance
> works. Any meaningful operation on "sec" will fail (like an
> authorization check).
> I think the problem might be the double binding of SecurityManager(s).
> One is bound in ShiroModule another is in ShiroWebModule:
> in ShiroModule:
> public void configure() {
> // setup security manager
> bindSecurityManager(bind(SecurityManager.class));
> in ShiroWebModule:
> protected final void configureShiro() {
> ....
> bindWebSecurityManager(bind(WebSecurityManager.class));
> Both of these methods are running at init time, hence the duplicated singletons.
> It might be better if ShiroWebModule would overrinde the standard
> configure() method to avoid this double-binding.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira